Introduced in 1996 to help deal with medical fraud, the Health Insurance Portability and Accountability Act (HIPAA) has since grown significantly. However, one fact remains the same: every health care organization or medical professional who does not follow the standards set by HIPAA on patient data protection is likely to get slapped with a hefty fine. This article discusses what the company needs to know about HIPAA compliance in 2019 to remain obedient and avoid punishment.
We assume basic knowledge about HIPAA – if you are not familiar with health care regulations, you can read more about what HIPAA complies with here.
Potential changes to HIPAA in 2019
Because of changes in patient data, especially Electronic Health Records (EHRs), there is a need to make changes to HIPAA to improve data sharing and coordinated care. For this reason, the Office of Civil Rights (OCR) has requested that health facilities under the scope of HIPAA provide feedback on areas in action that require renewal.
OCR mainly targets HIPAA privacy rules, specifically clauses that limit coordinated care and the transition to value-based health services. Also, the OCR aims to make changes to privacy rules to support efforts aimed at combating opioid threats in the US.
How is HIPAA upheld today
2018 was a record year for HIPAA enforcement. Total fines and settlements reached more than $28 million, representing an increase of around 22% from the impressive 2016 record.
This trend is expected to continue as the OCR increases efforts to enforce HIPAA in 2019 and beyond. Delays in providing medical records to patients, refusing access to medical records, and charging excessive fees to patients are areas that tend to face new law enforcement efforts. The OCR is also expected to increase enforcement and penalties for compliance violations which include lack of protection, absence of HIPAA policies and procedures, unauthorized PHI disclosures, poor risk management, failure to start through risk analysis and lack of business partner agreements. Email data violations also tend to attract higher penalties in the coming months.
Embracing HIPAA compliance should not be different from developing a modern data security plan. The following steps will keep you on the right track to meet compliance requirements:
1) Start with a thorough risk assessment and gap analysis
Your journey to HIPAA compliance must begin with a thorough evaluation of your electronic health record (EHR) to ensure compliance and minimize risk. The best results will come from third-party experts with experience in health safety and compliance.
When you hire a consultant, they will start by evaluating your security program to ensure that it complies with HIPAA regulations and determine whether they are ready for ‘certification’. It should be noted that the OCR does not authorize compliance but has established this role for independent organizations.
After the assessment, your in-house consultant or team must produce a comprehensive report that includes:
- The security status of your current organization concerning the OCR audit protocol
- The best recommendation for risk remediation
- Steps that must be followed to achieve certification
2) Risk remediation and overcoming compliance gaps
Based on the consultant’s report, you must begin immediate action to fill in the gaps in your security program. A qualified consultant will be able to help you develop policies, programs, procedures and standards for implementing critical security practices and controls.
3) Adopt automatic compliance reporting
Evaluation standards for HIPAA require organizations covered by regulations to document technical and non-technical assessments to measure whether they are following established standards. This task is easily achieved through compliance and security reporting solutions. Many security management solutions offer additional predetermined event reports, such as reports based on data types and data sources; thus increasing efficiency in your daily monitoring and reporting. Choose a flexible and intuitive interface that allows you to manipulate data quickly.
The automatic compliance reporting solution you choose must offer centralized visibility of local and cloud assets, threats, recorded data from firewalls, cyberattack vulnerabilities, and other vital security tools that will provide sufficient data to group and maintain continuous compliance.
4) Implement monitoring protocols for violation notifications
According to the violation notification rules, all entities covered by HIPAA and their partners must report any violations related to health information that is protected without warranty. The security management platform must be able to make detection, monitoring and responding to violations simple and fast. Because most health service organizations move data and applications to the cloud, you must make sure the technology of choice provides threat detection in both multi-cloud and on-premises environments.
5) Continuous risk evaluation and management
Whether you manage HIPAA compliance internally or you have outsourced tasks, the monitoring process must be ongoing to avoid last-minute rushes for annual assessments and audits. The program must offer real-time visibility from your environment.
Maintaining HIPAA compliance is not an easy task; it demands a lot of attention. If you choose to work without a health security consultant, adhering to HIPAA compliance may take a lot of time and result in data violations that will endanger the security of your patient data. But with the right technology, people and the process of achieving HIPAA compliance is an easy task.